- Status Closed
-
Assigned To
cbay - Private
Opened by monty099 - 20.08.2024
Last edited by cbay - 20.08.2024
FS#71 - Title: Unauthorized Email Sending Exploit** in [alwaysdata.com]
*Title: Unauthorized Email Sending Exploit in [alwaysdata.com]
Summary:
A vulnerability has been discovered in the site's email handling system. The site assigns each user a unique email address. However, it is possible to send an email from any email account, bypassing the intended email restrictions and validation mechanisms.
Vulnerability Details:
- Type: Email Spoofing
- Impact: Unauthorized email sending
- Affected Component: Email Handling System
Description:
The application generates a unique email address for each user. However, it is possible to exploit the system to send emails from any arbitrary email address. This issue arises due to insufficient validation of the email sender’s address.
Proof of Concept:
1. Exploit Steps:
- Use an email client or script to send an email through the application.
- Modify the "From" address to any arbitrary email address, not restricted to the user's assigned address.
2. Result:
- The email is sent successfully.
Follow the steps in the video: https://admin.alwaysdata.com/support/77431/376905-bandicam%202024-08-20%2003-19-32-375.mp4
Impact:**
This vulnerability allows an attacker to send emails appearing as if they are from any user.
Loading...
Available keyboard shortcuts
- Alt + ⇧ Shift + l Login Dialog / Logout
- Alt + ⇧ Shift + a Add new task
- Alt + ⇧ Shift + m My searches
- Alt + ⇧ Shift + t focus taskid search
Tasklist
- o open selected task
- j move cursor down
- k move cursor up
Task Details
- n Next task
- p Previous task
- Alt + ⇧ Shift + e ↵ Enter Edit this task
- Alt + ⇧ Shift + w watch task
- Alt + ⇧ Shift + y Close Task
Task Editing
- Alt + ⇧ Shift + s save task
Hello,
That's expected.
Kind regards,
Cyril